Privacy Policy
Last updated: 15 July 2026 · Medulla is operated by SHOBHA SHARMA, an individual based in Ajmer, Rajasthan, India. Medulla is a brand name, not a registered company.
The short version. We collect your name, email, exam choice, and your answers — nothing more. We use them to run your account and show your progress. We never sell your data. We never see your card details; Razorpay handles payments. If you use the AI Co-Pilot, what you type is sent to Anthropic in the United States to generate the reply. You can ask us to delete everything at any time by emailing support@medullaqbank.com.
This policy is our notice to you under India's Digital Personal Data Protection Act, 2023 and the DPDP Rules, 2025. Under that law you are the Data Principal (the person the data is about) and we are the Data Fiduciary (the person who decides how it's used). It's written to be read, not to be survived — if anything here is unclear, email us and we'll explain it.
1. What we collect, and exactly why
Each row is a separate purpose. We don't collect anything "just in case".
| Category of personal data | Why we process it (purpose) | Basis |
|---|---|---|
| Name | To address you in the app and on your receipt. | Your consent |
| Email address | To create and secure your account, send your payment receipt, and contact you about your subscription. | Your consent |
| Exam choice (FMGE / NEET-PG / INI-CET / AIIMS) | To show you the right question bank. | Your consent |
| Your answers, attempts, bookmarks and progress | To mark your tests, show your analytics, and let you resume where you left off. | Your consent |
| Payment outcome (success/failure, order reference, amount) | To activate your subscription and issue a receipt. We never receive your card number. | Performance of your subscription |
| What you type into the AI Co-Pilot | To generate an answer to your question. See section 4 — this leaves India. | Your consent |
| Basic technical data (browser type, approximate region, error logs, IP address) | To keep the service running, diagnose faults, and prevent abuse. | Legitimate use / security |
| Waitlist email + exam (pre-launch only) | To tell you when Medulla opens. Nothing else. | Your consent |
We do not want health data. Medulla is an exam-prep tool. Don't send us information about your health, or any patient's. If you paste patient information into the Co-Pilot, that's outside what this service is for and outside what you agreed to.
2. Your consent — and how to withdraw it
We ask for your consent before we process your data, and under the DPDP Act that consent must be free, specific, informed, unconditional and unambiguous, given by a clear affirmative action. That means:
- We only use your data for the purposes listed in the table above — not for anything else we think of later.
- We don't bundle unrelated consents together, and we don't make you agree to marketing in order to buy a subscription.
- Ticking a box, signing up, or paying is the affirmative action. Silence isn't consent.
To withdraw your consent, email support@medullaqbank.com from your registered address. Withdrawal is as easy as giving consent was.
What happens when you withdraw: we stop processing your data for the purposes you've withdrawn, and we delete it (see section 6) unless we're legally required to keep it. Because your account can't function without your email and progress data, withdrawing consent for those ends your subscription, and — as our Refunds & Cancellation Policy explains — that doesn't create a refund. Withdrawing doesn't make anything we did before it unlawful.
3. Who else processes your data
These are every third party involved. We share only what each one needs, and none of them may use your data for their own purposes.
| Processor | What they do | What they get | Where |
|---|---|---|---|
| Razorpay Software Private Limited | Takes your payment | Your name, email, payment amount. Your card/UPI credentials go to them directly and never to us. | India |
| Netlify, Inc. | Hosts this website and receives waitlist form entries | Your IP address when you visit; your email and exam if you join the waitlist | United States |
| Anthropic PBC | Generates AI Co-Pilot answers and Clinical View cases | The text you type into the Co-Pilot, plus the question context it relates to | United States |
| Google LLC (Google Fonts) | Serves the site's typeface | Your IP address and browser, when your browser fetches the font | United States |
We do not sell, rent or trade your personal data. We do not run advertising trackers. We share data with anyone else only if we receive a valid legal order.
4. Data that leaves India
Please read this before using the AI Co-Pilot. When you use the Co-Pilot or Clinical View, the text you type is transmitted to Anthropic PBC in the United States, which generates the reply and sends it back. Our website is hosted by Netlify, Inc. in the United States, so your IP address reaches them whenever you visit. Our typeface is served by Google LLC.
The DPDP Act permits transfer of personal data outside India except to countries the Central Government specifically restricts. The United States is not currently restricted. If that changes, we will change how we operate and tell you.
If you don't want your text processed in the United States, don't use the Co-Pilot. Every other part of Medulla — the question bank, tests, and your analytics — works without it.
5. Your rights as a Data Principal
The DPDP Act gives you these rights. All of them are exercised the same way: email support@medullaqbank.com from your registered email address, telling us which right you're exercising. We don't charge for any of this.
| Your right | What it means | Our timeline |
|---|---|---|
| Access | A summary of the personal data we hold about you, what we're doing with it, and who we've shared it with. | 30 days |
| Correction | Fix anything inaccurate or misleading. | 30 days |
| Completion | Complete anything incomplete. | 30 days |
| Updating | Bring anything out-of-date up to date. | 30 days |
| Erasure | Delete your personal data and close your account, unless a law requires us to keep it. | Within 90 days |
| Grievance redressal | Complain about how we've handled your data or your request. See section 8. | Acknowledge 2 working days · resolve 30 days |
| Nomination | Nominate another person to exercise these rights on your behalf if you die or become incapacitated. | Confirmed within 30 days |
To nominate someone, email us their name and contact details and your relationship to them. You can change or cancel a nomination whenever you like. We may need to verify a nominee's identity and their entitlement before we act on their request.
We may ask you to confirm your identity before we act — that protects you from someone else making a request in your name. Erasing your account ends your subscription and does not create a refund (see Refunds & Cancellation).
6. How long we keep your data
We erase your personal data when it's no longer needed for the purpose it was collected for. In practice:
| Situation | What happens |
|---|---|
| You ask us to erase it | Erased within 90 days. |
| You withdraw consent | Erased once we've stopped processing, unless a law requires otherwise. |
| Your account is inactive for 3 continuous years | We email you a warning at least 48 hours beforehand, then erase your account and personal data. |
| Your subscription simply ends | We keep your account so you can return and keep your history — until the 3-year inactivity rule applies. |
| Payment and tax records | Retained as long as Indian tax and accounting law requires, even after erasure of the rest. This is a legal obligation we can't waive. |
"Inactive" means you haven't logged in or contacted us. Anything we keep after erasure is limited to what the law requires and isn't used for anything else.
7. If there's a data breach
If your personal data is exposed by a security breach, we will:
- Notify you directly, and notify the Data Protection Board of India, within 72 hours of becoming aware of it.
- Tell you plainly what was exposed, when, and what the likely consequences are.
- Tell you what we're doing about it and what you should do — for example, change your password, or watch for phishing.
- Not quietly downplay it. You'll hear it from us first.
8. Grievances — how to complain
If you're unhappy with how we've handled your data or your request, here's the route. We don't hide behind a form.
- Email support@medullaqbank.com with "Grievance" in the subject line. Tell us what happened and what you want done.
- We acknowledge within 2 working days and aim to resolve within 30 days.
- Not satisfied with our response — or haven't heard back in 30 days? Reply to the same thread with "Escalation" in the subject line and it goes straight to the person who operates Medulla.
- Still not satisfied? You have the right to complain directly to the Data Protection Board of India. We won't obstruct that, and you don't need our permission.
Grievances are handled by SHOBHA SHARMA, who operates Medulla and is personally responsible for data protection here. We're a small operation and are not a Significant Data Fiduciary, so we don't have a separate Data Protection Officer — you're dealing directly with the person who runs the service.
9. Cookies and local storage
We use your browser's localStorage to remember practical things: that you're signed in, which exam you chose, and where you'd got to in a test. We use only the cookies needed to run the service.
We do not use advertising cookies, and we do not run third-party ad or analytics trackers. You can clear this at any time in your browser settings — you'll be signed out and any unsaved local state will be lost.
10. Security
We protect your data with reasonable technical measures, including encrypted connections (HTTPS) and hashed passwords — we never store your password in a readable form. No system is perfectly secure and we won't pretend otherwise; if a breach affects you, section 7 says what we'll do.
11. Age
Medulla is for adults aged 18 and over only. We do not knowingly collect personal data from anyone under 18. If we discover that we have, we'll delete it. See our Terms of Service.
12. Changes to this policy
If we change this policy in a way that affects you, we'll email you before it takes effect. We'll keep the "last updated" date at the top honest.
13. Contact
Data protection questions, rights requests and grievances:
- Email: support@medullaqbank.com
- Post: SHOBHA SHARMA, P.No. 05, Kh.No. 494, Alakhnanda Colony, Nosar, Ajmer, Rajasthan – 305001, India